17 February 2022

HTTPSC2DoneRight (and Working)

tl;dr If you want an updated and working copy of httpsc2doneright, grab it here - https://github.com/FortyNorthSecurity/RandomScripts/blob/main/Cobalt Scripts/httpsc2doneright.sh

If you're a Cobalt Strike user, it's almost certain that at some point you've used Alex Rymdeko-Harvey's httpsc2doneright script. In a nutshell, it automates the process of requesting a Let's Encrypt certificate and converts it into a format usable by Cobalt Strike for your HTTPS comms. However, it no longer works.

The script relied on calling letsencrypt-auto, which might not be supported depending on the Linux distro you are using.

Thankfully, this is easily updated by directly calling certbot after installing it from apt. Outside of asking for you to provide the domain you want a certificate for, a password for the java keystore, and the path to Cobalt Strike (where the profile and keystore will be saved), the updated script is still automated and will finish with a sample Amazon profile configured to use the java keystore for HTTPS comms. All that's left for you to do is copy that block of code into your actual malleable profile (perhaps one that is generated by C2Concealer) and then you're set for HTTPS with a legitimate certificate.

A few smaller things have been updated, such as if a dependency isn't met, the script will auto-download it and continue with obtaining the SSL cert and generating the keystore.

Now, would you use a HTTPS certificate from Let's Encrypt for your C2 comms? Maybe not on a red team, but possibly if you have something in between you and the targeted system such as a CDN, or an Azure Function, which only requires a valid certificate and will not present your Let's Encrypt cert to the endpoint. That's going to be scenario dependent, and a call for you to make. Regardless, this script helps to automate some steps and save you some time.

We hope you found this quick update useful. If you have any feedback, we'd love to hear it! As always, you can reach us via Twitter, LinkedIn, and through our website.

FortyNorth acquired by Red Siege!

We are happy to announce that FortyNorth Security has been acquired by Red Siege! Riskatto remains a separate product owned and operated by the creators of the product. Details on the announcment can be found here. Check out 👇 Red Siege Riskatto

HTTPSC2DoneRight (and Working)

HTTPSC2DoneRight (and Working)

We are happy to announce that FortyNorth Security has been acquired by Red Siege! Riskatto remains a separate product owned and operated by the creators of the product. Details on the announcment can be found here.

Check out 👇

Red Siege

Riskatto